What happened
Windows Secure Boot certificates are nearing expiration, and devices that have not received updated certificates risk boot failures. Key certificates stored in the UEFI Key Enrollment Keys (KEK) and Secure Boot databases (DB) are set to expire in mid‑2026, which could interrupt the trust chain used by Windows Boot Manager and third‑party loaders on devices that have not received updated certificates. The issue stems from the original Microsoft Secure Boot certificates issued in 2011 reaching end of life; affected systems require the updated certificates to be stored in KEK and DB so that early‑boot firmware continues to validate and Secure Boot failures are prevented. No widespread exploitation has been reported, but the technical risk is that systems may reject future signed boot components, or fail to apply security updates related to boot integrity, unless firmware, OS updates, and certificate revocation lists are current.
Who is affected
Users and enterprises managing fleets of Windows devices, including desktops, servers, and virtual machines that depend on Secure Boot for early‑loader validation, are potentially affected if firmware and OS patches delivering new Secure Boot certificates are not applied before expiration.
Why CISOs should care
Expired Secure Boot certificates can weaken the UEFI trust chain, jeopardize protections against unauthorized early‑boot code execution, and hinder deployment of future secure updates or platform hardening, especially in regulated or high‑security environments.
3 practical actions
- Verify certificate updates: Confirm devices have received updated Secure Boot certificates via OS or OEM firmware updates.
- Audit firmware and OS patching: Ensure both firmware and Windows updates are prioritized in endpoint patch management.
- Test boot paths: Validate Secure Boot functionality in test environments before broader rollout to detect failures early.
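The first action above, verifying that a device actually holds updated certificates, can be checked directly against the UEFI variables rather than inferred from patch status. The following PowerShell script is an added example written for this brief, not code from the original advisory or from Microsoft. It reads the KEK and DB variables with the built-in SecureBoot module, walks the EFI_SIGNATURE_LIST structures they contain, extracts every X.509 entry, and flags certificates that expire within a configurable window. The 180-day window and the output layout are assumptions chosen for illustration; the GUID and structure layout are those defined by the UEFI specification.

```powershell
# Added example (not from the original brief): inventory the X.509 certificates held in the
# UEFI KEK and DB variables and flag those that expire within a warning window.
# Run from an elevated PowerShell session on a UEFI system; uses the built-in SecureBoot module.
Import-Module SecureBoot

# EFI_CERT_X509_GUID from the UEFI specification: marks a signature list of DER certificates.
$EfiCertX509Guid = [Guid]'a5c059a1-94e4-4aa7-87b5-ab155c2bf072'

function Get-UefiSignatureCertificates {
    param([Parameter(Mandatory)][ValidateSet('KEK', 'db', 'dbx')][string]$Name)

    $bytes  = (Get-SecureBootUEFI -Name $Name).Bytes
    $offset = 0
    while ($offset -lt $bytes.Length) {
        # EFI_SIGNATURE_LIST header: SignatureType GUID (16 bytes), SignatureListSize (4),
        # SignatureHeaderSize (4), SignatureSize (4), then the optional header and the entries.
        $sigType    = [Guid]::new([byte[]]$bytes[$offset..($offset + 15)])
        $listSize   = [BitConverter]::ToUInt32($bytes, $offset + 16)
        $headerSize = [BitConverter]::ToUInt32($bytes, $offset + 20)
        $sigSize    = [BitConverter]::ToUInt32($bytes, $offset + 24)
        if ($listSize -eq 0) { break }   # guard against a malformed list that would never advance
        $dataStart  = $offset + 28 + $headerSize
        $listEnd    = $offset + $listSize

        if ($sigType -eq $EfiCertX509Guid) {
            # Each EFI_SIGNATURE_DATA entry is SignatureOwner GUID (16 bytes) followed by the DER certificate.
            for ($p = $dataStart; ($p + $sigSize) -le $listEnd; $p += $sigSize) {
                $der  = [byte[]]$bytes[($p + 16)..($p + $sigSize - 1)]
                $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
                [pscustomobject]@{
                    Variable   = $Name
                    Subject    = $cert.Subject
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                }
            }
        }
        $offset = $listEnd
    }
}

if (-not (Confirm-SecureBootUEFI)) {
    Write-Warning 'Secure Boot is not enabled on this system; KEK/DB contents are not being enforced.'
}

# Assumed warning window: report anything expiring within the next 180 days.
$warnBefore = (Get-Date).AddDays(180)
$certs = @('KEK', 'db') | ForEach-Object { Get-UefiSignatureCertificates -Name $_ }

$certs | Sort-Object Variable, NotAfter | Format-Table Variable, NotAfter, Subject -AutoSize

$expiring = $certs | Where-Object { $_.NotAfter -lt $warnBefore }
if ($expiring) {
    Write-Warning "Certificates expiring before $($warnBefore.ToShortDateString()):"
    $expiring | ForEach-Object {
        Write-Warning ('  {0}: {1} (expires {2:d})' -f $_.Variable, $_.Subject, $_.NotAfter)
    }
}
```

The listing shows both the original 2011-era entries and any replacement certificates side by side, so a fleet-wide check reduces to confirming that each variable contains an entry whose NotAfter date lies past the mid‑2026 expiration. Seeing only short-lived entries means the OS or OEM firmware update that delivers the new certificates has not reached the device, which is the condition to remediate before the broader rollout and boot-path testing described above. On a legacy BIOS system Confirm-SecureBootUEFI raises an error rather than returning false, which is itself a useful signal that the host is out of scope.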
